Merge "Add ability to install helm charts"
diff --git a/.kitchen.yml b/.kitchen.yml
index 5a065c2..7488a40 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -18,9 +18,11 @@
- name: linux
repo: git
source: https://github.com/salt-formulas/salt-formula-linux
+ branch: <%=ENV['GERRIT_BRANCH'] || 'master' %>
- name: contrail
repo: git
source: https://github.com/salt-formulas/salt-formula-opencontrail
+ branch: <%=ENV['GERRIT_BRANCH'] || 'master' %>
state_top:
base:
diff --git a/kubernetes/control/init.sls b/kubernetes/control/init.sls
index 18d8b11..a4570d6 100644
--- a/kubernetes/control/init.sls
+++ b/kubernetes/control/init.sls
@@ -1,8 +1,14 @@
{% from "kubernetes/map.jinja" import control with context %}
include:
+ {%- if control.endpoints is defined %}
+ - kubernetes.control.endpoint
+ {%- endif %}
{%- if control.job is defined %}
- kubernetes.control.job
{%- endif %}
+ {%- if control.secret is defined %}
+ - kubernetes.control.secret
+ {%- endif %}
{%- if control.service is defined %}
- kubernetes.control.service
{%- endif %}
@@ -15,9 +21,6 @@
{%- if control.priorityclass is defined %}
- kubernetes.control.priorityclass
{%- endif %}
- {%- if control.endpoints is defined %}
- - kubernetes.control.endpoint
- {%- endif %}
{%- if control.ingress is defined %}
- kubernetes.control.ingress
{%- endif %}
diff --git a/kubernetes/control/secret.sls b/kubernetes/control/secret.sls
new file mode 100644
index 0000000..10fc58a
--- /dev/null
+++ b/kubernetes/control/secret.sls
@@ -0,0 +1,33 @@
+{% from "kubernetes/map.jinja" import control with context %}
+include:
+ - kubernetes.control
+
+{%- for secret_name, secret in control.secret.items() %}
+ {%- if secret.get('enabled', false) %}
+
+/srv/kubernetes/secrets/{{ secret.namespace }}/{{ secret_name }}.yml:
+ file.managed:
+ - source: salt://kubernetes/files/secret.yml
+ - user: root
+ - group: root
+ - mode: 750
+ - template: jinja
+ - makedirs: true
+ - require:
+ - file: /srv/kubernetes
+ - defaults:
+ secret: {{ secret|yaml }}
+
+ {%- if secret.get('create', false) %}
+ cmd.wait:
+ - name: kubectl apply -f /srv/kubernetes/secrets/{{ secret.namespace }}/{{ secret_name }}.yml
+ - unless: kubectl get secret -o=custom-columns=NAME:.metadata.name --namespace {{ secret.namespace }} | grep -xq {{ secret_name }}
+ {%- if grains.get('noservices') %}
+ - onlyif: /bin/false
+ {%- endif %}
+ - watch:
+ - file: /srv/kubernetes/secrets/{{ secret.namespace }}/{{ secret_name }}.yml
+ {%- endif %}
+
+ {%- endif %}
+{%- endfor %}
\ No newline at end of file
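Review bot: The rendered manifest holds the base64-encoded secret values, yet `- mode: 750` leaves it group-readable and executable; `- mode: '0600'` fits a root-only data file, and the quotes keep the value a string. `secret.namespace` and `secret_name` are interpolated unquoted into the `name` and `unless` command lines, so a pillar value containing whitespace or shell metacharacters changes the command that runs as root. Quoting each substitution, or validating both as DNS labels before use, closes that. The managed path also reads `secret.namespace` directly, while `kubernetes/files/secret.yml` falls back to `'default'`, so a secret declared without a namespace is handled inconsistently between the two files.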
diff --git a/kubernetes/files/conformance/conformance.yml b/kubernetes/files/conformance/conformance.yml
index 3e6a424..0a5a825 100644
--- a/kubernetes/files/conformance/conformance.yml
+++ b/kubernetes/files/conformance/conformance.yml
@@ -1,3 +1,4 @@
+{%- from "kubernetes/map.jinja" import master with context -%}
{%- from "kubernetes/map.jinja" import full_version -%}
---
apiVersion: v1
@@ -37,13 +38,28 @@
verbs:
- '*'
---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: root-conformance-binding
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: Group
+ name: system:nodes
+ apiGroup: rbac.authorization.k8s.io
+---
apiVersion: v1
kind: Pod
metadata:
name: conformance
namespace: conformance
spec:
+{%- if not master.network.get('opencontrail',{}).get('enabled', False) %}
hostNetwork: true
+{%- endif %}
restartPolicy: Never
serviceAccountName: conformance
affinity:
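Review bot: The new `root-conformance-binding` grants `cluster-admin` to the whole `system:nodes` group, so every kubelet credential in the cluster becomes a full cluster administrator while this manifest is applied. The binding sits outside the `opencontrail` conditional added just below it, so it is created on every deployment, and nothing visible in this diff removes it after the run. The Pod already sets `serviceAccountName: conformance`, so binding that service account would be much narrower. If the kubelet client certificate really must be the test identity (presumably why `system:nodes` was chosen), wrap the binding in the same `{%- if master.network.get('opencontrail',{}).get('enabled', False) %}` guard and delete it when the run finishes. The Pod spec continues past the end of this hunk.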
@@ -51,7 +67,11 @@
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
+{%- if master.network.get('opencontrail',{}).get('enabled', False) %}
+ - key: node-role.kubernetes.io/node
+{%- else %}
- key: node-role.kubernetes.io/master
+{%- endif %}
operator: In
values:
- "true"
@@ -69,18 +89,44 @@
privileged: true
env:
- name: API_SERVER
+{%- if master.network.get('opencontrail',{}).get('enabled', False) %}
+ value: https://10.254.0.1:443
+{%- else %}
value: http://localhost:8080
+{%- endif %}
# Uncomment to use FOCUS for conformance runs
# - name: FOCUS
# value: "Conformance"
# - name: CONCURRENCY
# value: 25
+{%- if master.network.get('opencontrail',{}).get('enabled', False) %}
+ - name: K8S_CA
+ value: /ssl/ca-kubernetes.crt
+ - name: KUBELET_CERT
+ value: /ssl/kubelet-client.crt
+ - name: KUBELET_KEY
+ value: /ssl/kubelet-client.key
+{%- else %}
+# Needed to use only https secured endpoint
+# - name: K8S_CA
+# value: /ssl/ca-kubernetes.crt
+# - name: KUBELET_CERT
+# value: /ssl/kubelet-client.crt
+# - name: KUBELET_KEY
+# value: /ssl/kubelet-client.key
+{%- endif %}
image: docker-prod-local.artifactory.mirantis.com/mirantis/kubernetes/k8s-conformance:v{{ full_version }}
volumeMounts:
- mountPath: /report
name: output-volume
mountPropagation: Bidirectional
+ - mountPath: /ssl
+ name: ssl-auth
+ readOnly: true
volumes:
- hostPath:
path: /tmp/conformance
- name: output-volume
\ No newline at end of file
+ name: output-volume
+ - hostPath:
+ path: /etc/kubernetes/ssl
+ name: ssl-auth
\ No newline at end of file
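Review bot: The `/ssl` volumeMount and the `ssl-auth` hostPath volume are added unconditionally, so the `privileged: true` conformance pod receives the node's `/etc/kubernetes/ssl` directory, which holds at least `kubelet-client.key`. This happens even in the non-opencontrail branch, where the certificate variables stay commented out and the pod talks to `http://localhost:8080`. Wrap both the mount and the volume in the same `opencontrail` guard used for the `K8S_CA`/`KUBELET_CERT`/`KUBELET_KEY` env block so the key material is exposed only when it is actually used. The hard-coded `https://10.254.0.1:443` also assumes one particular service CIDR; taking the address from pillar would be safer, though whether the formula already exposes such a key is not visible here.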
diff --git a/kubernetes/files/secret.yml b/kubernetes/files/secret.yml
new file mode 100644
index 0000000..0ce9505
--- /dev/null
+++ b/kubernetes/files/secret.yml
@@ -0,0 +1,22 @@
+{% from "kubernetes/map.jinja" import control with context %}
+apiVersion: {{ secret.apiVersion }}
+kind: Secret
+metadata:
+ name: {{ secret_name }}
+ namespace: {{ secret.get('namespace', 'default') }}
+type: Opaque
+{%- if secret.data is defined}
+data:
+ {%- if secret.data.type == 'ssl' %}
+ {%- set ca_crt = salt['cmd.shell']('cat {0} | base64'.format(secret.data.ca_crt_file)) %}
+ {%- set tls_crt = salt['cmd.shell']('cat {0} | base64'.format(secret.data.tls_crt_file)) %}
+ {%- set tls_key = salt['cmd.shell']('cat {0} | base64'.format(secret.data.tls_key_file)) %}
+ ca.crt: {{ ca_crt }}
+ tls.crt: {{ tls_crt }}
+ tls.key: {{ tls_key }}
+ {%- else %}
+ {%- for key, value in secret.data.secrets.items() %}
+ {{ key }}: {{ salt['hashutil.base64_b64encode'](value) }}
+ {%- endfor %}
+ {%- endif %}
+{%- endif %}
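Review bot: The line `{%- if secret.data is defined}` is missing the `%` before the closing brace, so the template cannot compile and no secret manifest is rendered; it should read `{%- if secret.data is defined %}`. `metadata.name` uses `{{ secret_name }}`, but the state in `kubernetes/control/secret.sls` passes only `secret` under `defaults`, so the name looks undefined at render time unless it arrives some other way; adding `secret_name: {{ secret_name }}` to that `defaults` block would fix it. The three `cmd.shell` calls build `cat {0} | base64` from unquoted pillar paths, so a path containing spaces or shell metacharacters alters the command. `base64` without a no-wrap option also typically line-wraps key-sized input, which would break the single-line `tls.key:` scalar; quoting the path and disabling wrapping, or reading the file without a shell, avoids both.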